Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an on-going, ever changing, and increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include producing network damage through mechanisms such as viruses, worms, or Trojan horses and overwhelming the network's capability in order to cause denial of service, and so forth.
Generally, a computer virus is a program that is capable of attaching to other programs or sets of computer instructions, replicating itself, and performing unsolicited or malicious actions on a computer system. The damage done by computer viruses, including trojans, may range from mild interference with a program, such as the display of an unwanted political message in a dialog box, to the complete destruction of data on a user's hard drive.
In many cases users utilize a security system such as a personal firewall to protect themselves, or some intrusion detection software. Security systems often employ security risk-management tools, i.e. “scanners,” to search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses. Further, scanners are used for content filtering to enforce an organization's operational policies, i.e. detecting harassing or pornographic content, junk e-mails, misinformation (virus hoaxes), etc.
FIG. 1 is a representation of a typical virus signature 100. As shown, the typical virus signature 100 has two components: a file component 102 used to scan a file system and a memory component 104 used to scan memory of the target device.
One problem of prior art is that anti-virus software is limited to actions and effects within the file system and memory of a device, because the virus signature files are limited to these. At the current time, there is no ability for anti-virus products to detect certain behaviors coming from outside these areas, and/or actions/intrusions taken by some malicious viral or code threats.
In addition, intrusion detection systems can be inaccurate when subjected to large amounts of data, resulting in missed viral detection and false alarms. Another disadvantage of the prior art is that scanning data coming into a network requires a substantial amount of resources. It is estimated that new viruses are created at a rate of over 100 per month. This rate has resulted in a need for tens of thousands of virus signatures to be searched in suspect data. This, in turn, has resulted in virus searching algorithms requiring a large amount of time and computer resources when scanning for virus signatures.
What is needed is a way to efficiently detect malicious code entering or leaving a system in a stream of data. What is also needed is a way to limit the analysis to known viruses, thereby substantially reducing the number of false alarms.